Recently I have been working on an ARK tool and noticed something: if a virus or trojan tampers with the path by which the operating system version is obtained, for example by setting compatibility mode, the antivirus software reports an error and cannot load. Of course, that bug is gone for good now. So how do we get around this bug? The answer lies in the kernel file.
We need to parse the PE file structure; to keep things simple, this post only handles the 32-bit version.
The overall idea: open the file -> read the NT header -> read MajorImageVersion and MinorImageVersion from the optional header. These two values are exactly the NT major and minor version numbers that GetVersionEx returns! The code:
    Public Sub GetFileVer(ByVal lpFileName As String, ByRef Version As Double)
        Dim hFile As Long
        Dim SecAttr As SECURITY_ATTRIBUTES
        Dim DosHead As IMAGE_DOS_HEADER
        Dim NtHead As IMAGE_NT_HEADERS
        Dim dwRead As Long
        Dim pBuffer As Long
        Dim cbHeaders As Long

        SecAttr.nLength = 12
        SecAttr.bInheritHandle = False
        ' OPEN_EXISTING: never create the file if it is missing (OPEN_ALWAYS would).
        ' FILE_SHARE_READ: the kernel image is already in use, an exclusive open fails.
        hFile = CreateFile(lpFileName, GENERIC_READ, FILE_SHARE_READ, SecAttr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)
        If hFile <> -1 Then
            SetFilePointer hFile, 0, 0, 0
            ReadFile hFile, VarPtr(DosHead), Len(DosHead), dwRead, ByVal 0&
            If dwRead <> Len(DosHead) Or DosHead.Magic <> &H5A4D Then   ' "MZ"
                CloseHandle hFile
                MsgBox "Invalid Application", vbExclamation, "Error"
                Exit Sub
            End If
            ' Read the file from offset 0 up to the end of IMAGE_NT_HEADERS, so that
            ' pBuffer + lfanew really points at the PE signature (the pointer must be
            ' rewound first; it currently sits just past the DOS header).
            cbHeaders = DosHead.lfanew + Len(NtHead)
            pBuffer = VirtualAlloc(0, cbHeaders, &H1000, &H4)   ' MEM_COMMIT, PAGE_READWRITE
            SetFilePointer hFile, 0, 0, 0
            ReadFile hFile, pBuffer, cbHeaders, dwRead, ByVal 0&
            RtlMoveMemory VarPtr(NtHead), pBuffer + DosHead.lfanew, Len(NtHead)
            VirtualFree pBuffer, 0, &H8000                       ' MEM_RELEASE
            CloseHandle hFile
            If dwRead <> cbHeaders Or NtHead.Signature <> &H4550 Then   ' "PE\0\0"
                MsgBox "Invalid PE header", vbExclamation, "Error"
                Exit Sub
            End If
            Version = NtHead.OptionalHeader.MajorImageVer + NtHead.OptionalHeader.MinorImageVer / 10
        Else
            MsgBox "Failed to open file!", vbExclamation, "Error"
        End If
    End Sub
It seems every VB coder has their own definitions of the PE file structures, so here are the definitions I use:
    Public Type SECURITY_ATTRIBUTES
        nLength As Long
        lpSecurityDescriptor As Long
        bInheritHandle As Long
    End Type

    Private Type IMAGE_DOS_HEADER
        Magic As Integer          ' "MZ" = &H5A4D
        cblp As Integer
        cp As Integer
        crlc As Integer
        cparhdr As Integer
        minalloc As Integer
        maxalloc As Integer
        ss As Integer
        sp As Integer
        csum As Integer
        ip As Integer
        cs As Integer
        lfarlc As Integer
        ovno As Integer
        res(3) As Integer
        oemid As Integer
        oeminfo As Integer
        res2(9) As Integer
        lfanew As Long            ' file offset of IMAGE_NT_HEADERS
    End Type

    Private Type IMAGE_FILE_HEADER
        Machine As Integer
        NumberOfSections As Integer
        TimeDateStamp As Long
        PointerToSymbolTable As Long
        NumberOfSymbols As Long
        SizeOfOptionalHeader As Integer
        Characteristics As Integer  ' flags, e.g. marks a DLL
    End Type

    Private Type IMAGE_DATA_DIRECTORY
        DataRVA As Long
        DataSize As Long
    End Type

    Private Type IMAGE_OPTIONAL_HEADER
        Magic As Integer          ' &H10B = PE32, &H20B = PE32+
        MajorLinkVer As Byte
        MinorLinkVer As Byte
        CodeSize As Long
        InitDataSize As Long
        unInitDataSize As Long
        EntryPoint As Long
        CodeBase As Long
        DataBase As Long
        ImageBase As Long
        SectionAlignment As Long
        FileAlignment As Long
        MajorOSVer As Integer
        MinorOSVer As Integer
        MajorImageVer As Integer
        MinorImageVer As Integer
        MajorSSVer As Integer
        MinorSSVer As Integer
        Win32Ver As Long
        ImageSize As Long
        HeaderSize As Long
        Checksum As Long
        Subsystem As Integer
        DLLChars As Integer
        StackRes As Long
        StackCommit As Long
        HeapReserve As Long
        HeapCommit As Long
        LoaderFlags As Long
        RVAsAndSizes As Long
        DataEntries(15) As IMAGE_DATA_DIRECTORY
    End Type

    Public Type IMAGE_NT_HEADERS
        Signature As Long         ' "PE\0\0" = &H4550
        FileHeader As IMAGE_FILE_HEADER
        OptionalHeader As IMAGE_OPTIONAL_HEADER
    End Type
To make the code in this post work on Win64, only the structure definitions need to change, to the PE32+ layout.
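As an added example that is not part of the post (Python rather than the post's VB6), here is the same header walk written so that it accepts both PE32 and PE32+ optional headers, as the sentence above describes; the sample headers are constructed inside the block rather than read from a real kernel file.

```python
import struct

PE32_MAGIC = 0x10B      # IMAGE_NT_OPTIONAL_HDR32_MAGIC
PE32PLUS_MAGIC = 0x20B  # IMAGE_NT_OPTIONAL_HDR64_MAGIC


def read_image_version(data: bytes) -> tuple:
    """Return (MajorImageVersion, MinorImageVersion) from a PE image in memory.

    Walks IMAGE_DOS_HEADER.e_lfanew -> IMAGE_NT_HEADERS, checks both the MZ and
    PE\\0\\0 signatures, and accepts PE32 and PE32+ images: the OS/image/subsystem
    version fields sit at the same offsets in both optional-header layouts.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 60)   # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    file_hdr = e_lfanew + 4        # IMAGE_FILE_HEADER (20 bytes)
    opt = file_hdr + 20            # IMAGE_OPTIONAL_HEADER
    if opt + 48 > len(data):
        raise ValueError("headers truncated")
    (size_of_optional,) = struct.unpack_from("<H", data, file_hdr + 16)
    if size_of_optional < 48:
        raise ValueError("optional header too short for version fields")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # MajorImageVersion / MinorImageVersion, offset 44 in both PE32 and PE32+
    return struct.unpack_from("<HH", data, opt + 44)


def build_sample_header(magic: int, major: int, minor: int, e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal synthetic PE header (not a real kernel file) for testing."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, e_lfanew)
    is_pe32 = magic == PE32_MAGIC
    opt_size = 0xE0 if is_pe32 else 0xF0
    machine = 0x14C if is_pe32 else 0x8664      # i386 / AMD64
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<HH", opt, 44, major, minor)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for magic, ver in ((PE32_MAGIC, (6, 1)), (PE32PLUS_MAGIC, (10, 0))):
        print(hex(magic), read_image_version(build_sample_header(magic, *ver)))
```

To read a real image, pass the bytes of the file (at least the first few kilobytes) to read_image_version; the post's Version value is then major + minor / 10.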